Dec 9, 2010

Static route issue

If you make a typo when setting up a static route, the result can be a route that persists in the routing table. For example, if you want to add a static route for 10.10.10.0/24 but mistype the netmask, you are not able to remove that route afterwards:

asa(config)# route inside 10.10.10.0 255.255.25.0 192.168.100.254
asa(config)# no route inside 10.10.10.0 255.255.25.0 192.168.100.254
%No matching route to delete

The CLI performs a bitwise AND of the IP address and the netmask before storing the route. In this case the third octet becomes 10 AND 25 = 8, so the route is stored for 10.10.8.0:

asa(config)# sh run route
route inside 10.10.8.0 255.255.25.0 192.168.100.254 1
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1

asa# sh route | b Gateway
Gateway of last resort is 192.0.2.254 to network 0.0.0.0

S    10.10.8.0 255.255.255.255 [1/0] via 192.168.100.254, inside
C    192.0.2.0 255.255.255.0 is directly connected, outside
C    192.168.100.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.254, outside

We can then try to remove the static route for 10.10.8.0 with the same (wrong) mask:

asa(config)# no route inside 10.10.8.0 255.255.25.0 192.168.100.254

asa# sh run route
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1

The command is accepted and the route disappears from the running config, but the static route has not been removed from the routing table:

asa# sh route | b Gateway
Gateway of last resort is 192.0.2.254 to network 0.0.0.0

S    10.10.8.0 255.255.255.255 [1/0] via 192.168.100.254, inside
C    192.0.2.0 255.255.255.0 is directly connected, outside
C    192.168.100.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.254, outside

To get rid of the stale route, we need to create and then remove a static route for 10.10.8.0/32 (the 255.255.255.255 mask is the one shown in the routing table):

asa(config)# route inside 10.10.8.0 255.255.255.255 192.168.100.254

asa# sh run route
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
route inside 10.10.8.0 255.255.255.255 192.168.100.254 1

asa(config)# no route inside 10.10.8.0 255.255.255.255 192.168.100.254

asa# sh run route
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1

Now the route is really gone from the routing table:

asa# sh route | b Gateway
Gateway of last resort is 192.0.2.254 to network 0.0.0.0

C    192.0.2.0 255.255.255.0 is directly connected, outside
C    192.168.100.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.254, outside
asa(config)# end
asa# wr mem
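The AND computation described above, and the add/remove pair used to clear the stale entry, as an added Python example that is not part of the original post. The function names are this example's own assumptions; the 255.255.255.255 mask in the cleanup commands follows the routing-table output shown in the post.

```python
# Added example (not from the original post): reproduce the ASA's
# address-AND-mask computation, flag non-contiguous masks before they are
# applied, and build the /32 add/remove pair that clears a stale entry.
import ipaddress


def dotted_to_int(dotted: str) -> int:
    """Convert a dotted quad such as 255.255.25.0 to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-quad notation."""
    return str(ipaddress.IPv4Address(value))


def is_contiguous_mask(mask: str) -> bool:
    """True only for a run of 1 bits followed by 0 bits (a real netmask).

    Inverting a contiguous mask gives 2**k - 1, and x & (x + 1) == 0 holds
    exactly for such values; 255.255.25.0 and 255.255.253.0 both fail."""
    inv = (~dotted_to_int(mask)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def effective_network(address: str, mask: str) -> str:
    """The network the CLI actually stores: address AND mask, bit by bit.

    For 10.10.10.0 with mask 255.255.25.0 the third octet becomes
    10 & 25 == 8, so the route is stored for 10.10.8.0."""
    return int_to_dotted(dotted_to_int(address) & dotted_to_int(mask))


def check_static_route(address: str, mask: str) -> dict:
    """Pre-flight check to run before pasting a 'route' line into an ASA."""
    network = effective_network(address, mask)
    return {
        "network": network,
        "mask_ok": is_contiguous_mask(mask),
        "address_changed": network != address,
    }


def cleanup_commands(interface: str, address: str, mask: str, gateway: str) -> list:
    """Add/remove pair for the host route the ASA keeps in its routing table.

    Mirrors the procedure in the post: the stale entry shows up with a
    255.255.255.255 mask, so that exact /32 route is created and deleted."""
    host = f"route {interface} {effective_network(address, mask)} 255.255.255.255 {gateway}"
    return [host, "no " + host]
```

Running `check_static_route("10.10.10.0", "255.255.25.0")` before applying the route would have reported the non-contiguous mask and the changed network address.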

4 comments:

  1. Thanks. I had this exact issue with a route that was defined but not shown in the running config. I followed your steps and it worked perfectly.

  2. I'm glad to know that it helped you :D

  3. This was invaluable in helping me fix an issue this morning... I put a subnet in as 255.255.253.0 instead of 255.255.254.0 =/ I DID have to reload the ASA completely to get it to finally let go of that damned "route" but she finally did. Thank you very much!
